Product Updates


Coming soon - OAuth 2.0 authentication by default in CLI and IDE plugins

Improved

We are happy to announce that the OAuth 2.0 authentication protocol will be enabled by default for the new release of CLI and IDE plugins.

What is OAuth 2.0?

OAuth 2.0 is an open standard for enabling secure, controlled data access. This protocol relies on a pair of short-lived tokens with a built-in refresh mechanism instead of long-lived tokens. It's highly regarded across the industry.

This improvement will be included in the upcoming release of the CLI on Wednesday, August 28th, and the IDE plugins for Visual Studio Code, JetBrains IDEs, Visual Studio, and Eclipse on Thursday, August 29th.

Things you should know about CLI authentication:

  • Active users of the CLI will continue to be authenticated

  • The 'snyk auth' command, when run locally, will use short-lived tokens to grant the user access to the Snyk CLI

  • CI/CD use cases will continue to work as is, both with the SNYK_TOKEN environment variable and with snyk auth

  • The experience for API keys and personal access tokens (PATs) remains unchanged

Things you should know about IDE plugin authentication:

  • Active users will be prompted to re-authenticate upon the plugin's upgrade.

  • There will be a temporary opportunity to return to token-based authentication in the plugin's settings.

Troubleshooting

If a new browser tab does not open automatically:

  • Copy the provided URL to the clipboard

  • Open a new browser tab manually and paste the URL

  • Continue the authentication procedure

These changes will be reflected in Snyk's documentation over the next week.

Coming soon - Severity change annotations in IDEs for OSS findings

Improved

OS Security policies can be configured to change the severity of matched vulnerabilities. (See Snyk documentation).

Until now, this change was not visible in IDE plugins.

With the new release, IDE plugins will show that "severity was changed to…" and mention the policy name that affected it.

This UI improvement is included in the upcoming release of plugins for Visual Studio Code, IntelliJ IDE, and Eclipse on Thursday, August 29th.

Improved accuracy and speed in Snyk Code

Improved

As part of ongoing efforts to make the Snyk Code engine faster, easier to use, and more accurate, we’re introducing an optimization that will improve analysis speed by 120%.

In addition to providing you faster feedback, we're also solving a longstanding precision issue that we know leads to false positives in production today. On average, you will see a 5% reduction in false positives for C++ and minor improvements to C#.

This change will be released on September 4th, 2024. Once released, no action is necessary—you'll begin to observe improvements in your tests going forward.

Ryan Searle | Product Director

Coming soon - Simplified Snyk Code taint flow view

Improved

When viewing a “taint vulnerability” in Snyk Code, we provide a visualisation of the dataflow between the source and the sink. This helps you understand the reported vulnerability, decide whether it is a true positive, and work on a fix.

In some cases, dataflow steps that are unnecessary for understanding the reported vulnerability can be added, which can make it harder to understand and mitigate the reported vulnerability.

Soon we will be rolling out an improvement which simplifies the dataflow view in the web app by showing only the steps necessary to understand taint flow vulnerabilities.

This UI improvement will become available to all Snyk Code users on Wednesday, August 28th, and no other action is required.

Introducing Quick Filters for Asset Inventory

New

We are pleased to introduce the new Quick Filters feature in the Asset Inventory. This feature is designed to streamline your filtering experience and speed up workflows, helping you focus on what matters most.

What is this feature about?

With Quick Filters, users can now quickly narrow down their Asset Inventory using predefined filters, helping users identify the most critical assets and eliminating the need to manually set multiple criteria.

After selecting a Quick Filter, the filters are automatically populated with the relevant attributes and values. Users can then apply the filters directly or further customize them to meet their specific needs. For those who prefer a manual approach, the option to set filters manually, as before, remains available.

Itay Maor | Senior Manager, Product

Announcing general availability of Workspaces, and improved SCM integration accuracy and reliability

New

We are excited to announce the General Availability of Workspaces. Following a successful open beta announced previously, this enhancement significantly improves the accuracy and reliability of Snyk’s SCM integration results, especially for large-scale enterprise environments. This capability also supports additional functionality and improvements we have planned in the future.

To maximize the benefits of this feature and provide a consistent user experience, Snyk strongly recommends enabling Workspaces across all your Snyk Organizations. To facilitate this, over the coming days we will be incrementally rolling out the ability to manage Workspaces at both the Snyk Organization and Snyk Group level.

Going forward, Workspaces will be enabled by default for all new Snyk Organizations. Existing Organizations will be gradually transitioned to this new approach in the coming weeks. To request a deferral from the default settings, please opt out here by September 20th, 2024.

Detailed information on Workspaces and its security measures can be found in the docs, including how Workspaces supports more reliable results, how it supports more accurate results, and the safeguards Snyk puts in place to ensure data is secure.

If you have any questions or require further assistance, please contact Support, or your dedicated Snyk account representative.

Steve Winton | Principal Product Manager

End of Life Announcement: 4 week extension on planned removal of certain Snyk container images

Deprecated

In May 2022 we announced the deprecation and end of life (EOL) plan for Snyk’s CLI container images (snyk/snyk-cli); following that, in May 2024 we announced the plan to EOL some additional Snyk container images (a subset of snyk/snyk images) with out-of-date open source components. We are adjusting our timeframe for the EOL.

Originally set for 12-Aug-2024, we are now extending the date to 09-Sep-2024. This change ensures you have ample time for a smooth transition. If you do not use Snyk’s container images as part of your testing toolchain, you are not affected by this EOL notice.

Here is what you need to know:

Impacted Images:

Immediate Action required: Snyk customers using any of the listed images should start transitioning immediately.

Migration Guides: Snyk has documented the following migration guides to help customers take necessary steps.

You can find previous product announcements about these changes inline:

Additional resources:

If you have any questions or need help, please contact Snyk Support or your Technical Success Manager as early as possible.

Chintan Bellchambers

Early Access of Reachability for JavaScript & TypeScript

Early access

We are pleased to announce that Reachability for JavaScript & TypeScript is now available in Early Access, bringing you another signal for evaluating risk across your npm and Yarn projects in Snyk.

Snyk’s Reachability will analyze your source code to determine whether or not a path can be found to the vulnerable function of an identified vulnerability, helping you better understand the likelihood of your project being exploited.

Whether used on its own or as part of a more holistic Risk-Based prioritization strategy using Risk Score, Reachability helps identify and prioritize higher risk vulnerabilities in your backlog of issues.

With this release, Reachability data for npm and Yarn is now available across several product surfaces:

  • Projects: Filter results by Reachability to focus your list of Issues, or look for the Reachability badge to check an Issue’s reachability status at a glance.

  • Risk Score: When a vulnerability is reachable, Snyk’s Risk Score will increase based on Reachability as a contextual factor.

  • Reporting: View Group-level or Org-level Issue Details report to better understand your risk across a wider range of applications.

  • API: Snyk’s Issues API now returns Reachability level where applicable.

To enable this feature, please see Snyk Preview.

Ryan Searle | Product Director

Computed Fixability to replace the Auto Fixable column in Snyk Reports

Improved

The Computed Fixability field (which is currently used to display Fixable SCA issues on the Projects page) will replace the Auto Fixable column in Reports to ensure consistent user experience across Snyk interfaces.

The Computed Fixability column indicates whether an issue can be fixed based on the vulnerability remediation paths, and holds one of the values below:

  • Fixable: There is a fix for all the identified issues, meaning that all detailed paths have remediation.

  • Partially fixable: The issue has upgradable paths, but not all detailed paths have remediation.

  • No supported fix: The issue has no upgradable paths.

This change will be carried out in the next few days.
Please reach out to your account team with any questions. For further details about Computed Fixability, please visit the Snyk documentation.

Expanded Snyk Pull Requests Coverage for All SCM Integrations

New

We are excited to announce a significant enhancement to Snyk Pull Requests, furthering our mission of broadening the availability of our features through multiple integrations.

Starting today, all types of Snyk PRs (Fix PRs, Backlog PRs, and Upgrade PRs) are available across all Source Control Management (SCM) platforms that Snyk provides integrations with:

  • GitHub

  • GitHub Enterprise

  • Bitbucket Cloud

  • Bitbucket Server

  • Bitbucket Connect

  • GitLab

  • Azure Repos

This update ensures comprehensive coverage for our customers, streamlining workflows and providing a more consistent experience with our PR workflows.

Learn more about Snyk Pull Requests in our public documentation.

Costin Busioc | Senior Product Manager